Tool for Checking Router Configuration

MITRE has released a freeware tool that allows a company to check the configuration of their Internet point-of-presence router. The tool will help companies determine whether their routers are configured according to the Help Defeat Denial of Service Attacks guidelines. This configuration of egress filtering reduces the chance that their computers can unwittingly contribute to a distributed denial of service attack.

The tool has two parts: a generator and a receiver. The test generator (or "client") is provided as C source code and the test receiver (or "server") is a Perl script. Both are currently known to work on Linux, and the server also works on Solaris.

General Information

This egress filtering diagnosis tool is provided as a public service subject to the terms of the License Agreement. This tool is merely an aid; security remains the responsibility of the user.

This tool is intended to assist information security specialists in conducting a vulnerability analysis of their network by identifying potential weaknesses in their network configuration; however, the use of this tool cannot guarantee adequate information security or that a network has adequate egress filtering. This tool should not be used on an information system without the specific authorization of the person responsible for the information security of that system. This tool is not intended to serve, and should not be considered, as a substitute for qualified information security specialists or an information security program tailored to your information system. You should consult with a qualified information security specialist to properly interpret the results of this vulnerability analysis and before taking any corrective action.

The tool is available to anyone who would like it. If you wish to discuss the tool, there is an e-mail list for egressor developers and users: egressor-list@lists.mitre.org. Send subscription requests to listserv@mitre.org with "subscribe egressor-list youremail@yourorg Your Name" in the body (e.g. "subscribe egressor-list John.Smith@aol.com John Smith").

Briefly, the client generates a stream of packets, some of which are spoofed. The server listens for test packets, and determines if spoofed packets were received as part of the test. The server then generates a report of the results, indicating whether spoofed packets were received or not. Figure 1 shows the two scenarios that the tool can find including the html versions of the reports. There is also a "daemon" option which causes the server to run indefinitely.

Figure 1. Egressor Tool Test Scenarios and Results


If you are interested in hosting a server version of the tool on the Internet for general public use, please contact us.

Egressor Client Details

Installation

  • Ensure you have a gcc compiler, and GNU make.
  • Ensure you have LIBNET installed.
    Latest version: http://packetfactory.openwall.net/libnet
  • Change directories to where you wish to install the egressor directory
  • Untar egressor.tar:
    tar -xzvf egressor.tar.gz
  • Edit makefile to refer to the location of libnet
  • Build the package:
    make

Usage

The usage format is:

./egressor -s desired-source-ip.sourcePort -d destination-ip.destPort

Where:

  • desired-source-ip.sourcePort is the IP address you wish to spoof, including port number. The key element here is choosing the address to spoof. Some hints on that are below.

  • destination-ip.destPort is the IP address of the test server, including port number. Use the IP address of the test server you wish to use. The selection of port number is particularly important for ensuring the packets traverse your security devices (firewalls, etc.). Choose ports which are allowed outbound from your location. Some possibilities are:
    • 23 - telnet
    • 25 - mail
    • 80 - WWW

EXAMPLE: ./egressor -s 1.2.3.4.1968 -d 192.168.3.25.80

Spoofing instructions

A key element of performing the test is selecting a spoofed address. This is the address which proper egress filtering should stop. What should you choose? Simply, you may select any legal IP address which is not in the legal address range served by your router.
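
The rule this test exercises, as an added example (not part of Egressor or the original page): an egress-filtering router forwards a packet only if its source address lies inside the prefixes it serves, so any test packet the server sees from outside them has leaked. The function names, prefixes and observed addresses are constructed for illustration; 1.2.3.4 is the spoofed source from the usage example above.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct prefix { const char *net; int len; };
/* Constructed sample data: served prefixes and sources seen by a test server. */
static const struct prefix SITE[] = { {"192.0.2.0", 24}, {"198.51.100.0", 25} };
static const char *const SEEN[] = { "192.0.2.10", "1.2.3.4", "198.51.100.200" };

/* Dotted quad -> host-order integer; returns 0 if the text is not IPv4. */
static int parse_ip(const char *s, uint32_t *out) {
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* 1 if ip lies inside p, 0 if outside, -1 if either value is malformed. */
int in_prefix(const char *ip, const struct prefix *p) {
    uint32_t a, n, mask;
    if (p->len < 0 || p->len > 32 || !parse_ip(ip, &a) || !parse_ip(p->net, &n))
        return -1;
    mask = p->len ? 0xFFFFFFFFu << (32 - p->len) : 0;  /* avoid shift by 32 */
    return (a & mask) == (n & mask);
}

/* Egress rule: forward only if the source is in a served prefix.
 * Malformed input is denied, the safe default for a filter. */
int egress_permits(const char *src, const struct prefix *site, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (in_prefix(src, &site[i]) == 1) return 1;
    return 0;
}

/* Server-side verdict: count observed sources the rule should have stopped.
 * 0 means the egress filter held; anything else is a leaked spoofed packet. */
int count_leaked(const char *const *seen, size_t nseen,
                 const struct prefix *site, size_t n) {
    int leaked = 0;
    for (size_t i = 0; i < nseen; i++)
        if (!egress_permits(seen[i], site, n)) leaked++;
    return leaked;
}

int main(void) {
    printf("leaked spoofed sources: %d\n", count_leaked(SEEN, 3, SITE, 2));
    return 0;
}
```

Note that 198.51.100.200 counts as a leak even though it looks close to the site's range: it falls outside the /25, which is why the filter must match on prefix length rather than on the leading octets.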

Egressor Server Details

This part of the tool is intended to be used by experienced system administrators, and the instructions provided here are correspondingly brief.

Server Installation Instructions

This server has been tested and works on both Solaris (7) and Linux (Red Hat 6.1). The server is a Perl script, which also makes use of the Perl module Net-RawIP.

Steps:

Server Operating Instructions

Command Usage:

egressor_server.pl -i <interface> [-html] [-daemon]

  • i - interface for server to listen on
  • html - print output in html format (default is plain text)
  • daemon - run until killed (default is die after first session)

See the README-SERVER, in the tool download tar file, for more information.

More information on egress filtering and denial of service attacks can be found in MITRE's Help Defeat Denial of Service Attacks: Step-by-Step.
